supported. The security policies are represented by sets of access rules which may be loaded into 
the firewall by a system administrator. For example, in one embodiment, a single firewall supports 
multiple users, each with a separate security policy. The particular rule set that is then applied at the 
firewall for any packet may be determined based on some piece of information associated with the 
packet such as, for example, incoming and outgoing network interfaces, as well as network source 
and destination addresses. Thus, the invention effectively provides a hierarchical rule selection 
procedure. That is, before a rule is applied to a particular packet, the appropriate set of rules is first 
selected and then, a rule from the selected set is applied to the packet. 

Shwed is a system for securing inbound and outbound data packet flow in a computer 
network by employing security rules in appropriately placed packet filters. Each packet filter may 
handle multiple security rules, as mentioned at column 4, lines 23-26. The Shwed system identifies 
hardware devices controlled by the packet filters as obj ects. These obj ects can be grouped depending 
on their application, e.g., finance department, research and development department, directors of a 
company protected by the system. Thus, Shwed permits the control of data flow not only to 
individual devices on its network, but also to groups of devices. One example of rule selection in 
accordance with such grouping ability is discussed at column 4, line 58-65. There it is explained 
that, in accordance with the Shwed system, it is possible to have the chief financial officer, as well 
as other higher ranking officials of the company, be able to communicate directly with the finance 
group, but filter out communications from other groups. Further, it is possible to allow e-mail from 
all groups, but to limit other requests for information to a specified set of computers. This is 
accomplished by appropriate placement of packet filters and application of a single set of rules 
within each filter. That is, as explained at column 7, line 1 8+, a packet is received by a packet filter, 
compared with a security rule and a determination is made whether or not the packet matches the 
rule. If the packet matches the rule, a decision may be made to pass or drop the packet based on the 
requirements of the security rule. If the packet doesn't match the rule, then a next rule in the rule 
set is examined in a similar fashion. Thus, in a manner much like any conventional ordered rule set 
system, the Shwed system handles group requirements, such as those mentioned in the example 
above, by simply defining the rules in the single rule set in order to implement the group 
requirements. 
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Rule selection in the Shwed system is therefore significantly different than that provided by 
the claimed invention. As explained above, the invention provides for first selecting a rule set and 
then applying a rule from the set. Such a hierarchical approach not only provides for greater rule 
selection and application flexibility, but also faster overall rule processing for a given packet. 

For example, independent claim 1 recites the step of "selecting at least one of a plurality of 
security policies as a function of [a] session key" derived for a packet and then using the selected 
security policy in validating the packet. Independent claim 8 recites "designating a plurality of 
independent security policies, with each of the security policies including a set of access rules; 
determining which security policy is appropriate for the packet; and validating the packet using the 
set of access rules of the determined security policy." Independent claim 12 has similar limitations 
as claim 8. Independent claim 17 recites "means for selecting at least one of a plurality of security 
policies as a function of [a] data item" obtained from a request for a session and then using the 
selected security policy in validating packets of the session. Independent claim 22 has similar 
limitations as claim 17. Thus, each claim defines this novel rule selection approach based on first 
selecting a policy, e.g., set of rules, and then using the selected policy to process one or more 
packets. Shwed clearly fails to teach or suggest use of such multiple security policies. 

Lastly, independent claim 16 recites "segmenting access rules into a plurality of domains; 
and administering the access rules such that only an administrator for a given domain is permitted 
to modify rules of a security policy for that domain." Again, the claim defines multiple security 
policies through the segmentation of access rules into a plurality of domains. This is neither taught 
nor suggested in Shwed. 

The Office Action contends that "[i]t would have been obvious to one of ordinary skill in the 
art, at the time the invention was made, to allow the creation of specific security rules for a particular 
sub-group of network objects, because this could be accomplished with little modification to the 
Shwed system, and because the creation of independent security policies by the creation of multiple 
sets of rules would give users of the Shwed system the benefits of hierarchies of security." However, 
applicants respectfully contend this is merely conclusory and, in any case, a hindsight application 
of the reference. As stated above, Shwed does no more than a conventional ordered rule set system 
in applying a single rule set to a packet wherein the rules of the set are simply defined to effectuate 
certain actions on a variety of objects. The fact that the objects may be partitioned into groups does 
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not change the fact that only one rule set is used. There is no suggestion whatsoever to apply a 
hierarchical rule selection procedure as in the claimed invention. 

Accordingly, it is respectfully asserted that independent claims 1, 8, 12, 16, 17 and 22 are 
patentably distinguishable over Shwed and therefore in condition for allowance. Also, due at least 
to their respective dependence on such independent claims, it is further respectfully asserted that 
claims 2-7, 9-11, 13-15, 18-21 and 23-26 are patentably distinguishable over Shwed and therefore 
in condition for allowance. Reconsideration is respectfully requested. 

A Supplemental Information Disclosure Statement (IDS) is being filed concurrent with this 
response. 
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